We present a novel Intrusion Detection System able to detect
complex attacks on SCADA systems. By complex attack, we mean a set of
commands (carried in Modbus packets) that, while licit when considered
in isolation on a single-packet basis, interfere with the correct behavior of
the system. The proposed IDS detects such attacks thanks to an internal
representation of the controlled SCADA system and a corresponding
rule language, powerful enough to express the system's critical states.
Furthermore, we detail the implementation and provide comparative
experimental results.
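
The following sketch is an added example, not code from the paper: it tracks an internal representation of a plant from Modbus/TCP write requests and checks critical-state rules after each packet. The register map, the sample traffic and the rule syntax are assumptions made up for illustration and do not reproduce the paper's rule language.

```python
import struct

def write_frame(tid, unit, fc, addr, val):
    """Build a Modbus/TCP frame: MBAP header (7 bytes) + 5-byte write PDU."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, addr, val)

def parse_write(frame):
    """Return (unit, kind, addr, value) for FC 0x05/0x06 frames, else None."""
    if len(frame) != 12:
        return None
    _tid, proto, length, unit, fc, addr, val = struct.unpack(">HHHBBHH", frame)
    if proto != 0 or length != 6:
        return None
    if fc == 0x05 and val in (0xFF00, 0x0000):   # Write Single Coil
        return unit, "coil", addr, int(val == 0xFF00)
    if fc == 0x06:                               # Write Single Register
        return unit, "reg", addr, val
    return None

# Constructed plant model (assumption): unit 1, coil 1 = inlet valve,
# coil 2 = relief valve, holding register 10 = pump speed in percent.
INLET, RELIEF, PUMP = (1, "coil", 1), (1, "coil", 2), (1, "reg", 10)

# Hypothetical critical-state rules: (name, predicate over the tracked state).
RULES = [
    ("overpressure risk",
     lambda s: s[INLET] == 1 and s[RELIEF] == 0 and s[PUMP] > 80),
]

class StateIDS:
    def __init__(self, rules, initial):
        self.rules, self.state = rules, dict(initial)

    def observe(self, frame):
        """Apply one packet to the internal state; return names of rules now true."""
        write = parse_write(frame)
        if write is None:
            return []
        *key, val = write
        self.state[tuple(key)] = val
        return [name for name, pred in self.rules if pred(self.state)]

def demo():
    ids = StateIDS(RULES, {INLET: 0, RELIEF: 1, PUMP: 0})
    packets = [                                  # constructed sample traffic
        write_frame(1, 1, 0x05, 1, 0xFF00),      # open inlet valve
        write_frame(2, 1, 0x06, 10, 90),         # pump speed to 90 %
        write_frame(3, 1, 0x05, 2, 0x0000),      # close relief valve
    ]
    return [ids.observe(p) for p in packets]

if __name__ == "__main__":
    print(demo())
```

Each of the three packets is a well-formed write that a per-packet filter would pass; only the third, evaluated against the accumulated state, raises the alert.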